Archer eGRC

SENSITIVE BUT UNCLASSIFIED 

SOC IMS: SWI-20110808-224136 
Last Updated: 7/21/2016 8:04 PM 


SOC Incident Management System 


Contact: (b) (6), (b)

Restrict Record Access To: All IMS Users

Record Source: IMS User

Permissions Group:




Contact Details 

Enter the NASA AUID or email address of the Contact, and click "Lookup Contact Details" to automatically 
retrieve the information. 

AUID: Email: 

Enter Contact information below if the primary contact is not an IMS user.


Contact Last Name: (b) (6)

Contact First Name: (b) (6), (b) (7)

Contact Role: Other 

Contact Office Phone: (b) (6), (b)


Contact E-mail: (b) (6), (b) (7)(C) 

Contact Cell Phone:


Contact AUID: 

Contact NASA Center:


Contact Building:

Contact Room Number:



Contact Type: 


General Details 


SOC Tracking Number: SWI-20110808-224136

Categorization: Work-Item




Date Record Created (UTC): 8/8/2011 2:54 PM

Incident Time Zone: UTC - Coordinated Universal Time Zone (GMT)



Title: NASA user password and more 


Brief Description: Looks like Teampoison and Anonymous are releasing something with regards to this. Their MO is usually SQLi, and dump any and everything they can. So can probably pivot around any publicly facing web systems that the user in this dump has access to and watch flow (historically.) (b) (7)(E) Also contains hashed pw which is likely crackable.


Current Status: Closed

Current Priority: Medium

CUI: Maybe SBU Only


Assigned To: SOC Tier-2 

Also Notify: 

Notify on Save: No 
CUI Categories: Sensitive But Unclassified

Ok To Close: No


Reason SBU is suspected to be involved:

SBU Media Format:

Date & Time Incident Occurred:

Scope of SBU Exposure:

Original Information Owner:

Protection of SBU Data Elements:

Law Enforcement or IG Notified about SBU:

How SBU was disclosed:

SBU Media Format Medium:

Date & Time of Discovery of SBU Loss:

SBU Data Elements Exposed:

Number of Individuals without the appropriate "Need to Know" for Information Associated with this Exposure:

SBU Trade Secrets:

Time to Report:


Work Item Due Date 

Due Date: Due Date (UTC): 


Related Tasks 

Task ID: 224176
Assigned To: ARCIRM, ARCIRT, ARC ITSM
Due Date (UTC): 8/8/2011 5:43 PM
Priority: High
Status: Complete

Description: NASA user (b) (6), (b) (7)(C) has their password hash listed, possibly by Anonymous or another hacker group. This may be all the info they have, but it may also be an indication of an upcoming release of data for

Resolution: hash is from the vbulletin install on (b)(7)(E) (see SOC-20110808-224190). This is the only place this password is used and the system has been taken offline for console review.


11/27/2018


Related Incidents 

Select Relationship 

Relationship: Description: 

Parent Incident 

SOC Tracking Number Current Status Title 

No Records Found 

Child Incidents 

SOC Tracking Number Current Status Title 

No Records Found 

Sibling Incidents 

SOC Tracking Number Current Status Title 

No Records Found 

Lost or Stolen NASA Equipment Application 

Tracking ID Cause of Loss Type of System Lost Description of Circumstances 

No Records Found 


Host Information 
NASA Hosts 

IP Address IPv6 Address Host Name 

No Records Found 

External Hosts 

IP Address External IPv6 Address Host Name 

No Records Found 

Campaigns 

Campaign Name:

Reviewed By TVA:

Center/Facility:

Position in this attack:

Confirmed By TVA:

Is APT:

Indicators of Compromise 
IOC Domain 

FQDN Do Sinkhole Comment 

No Records Found 

IOC IP 

IP Address IP Block Comment 

No Records Found 

IOC File 

Filename MD5 Hash Comment 

No Records Found 

IOC Registry Key 

Key Name Key Value Comment 

No Records Found 

IOC Email 

Sender Email Subject Comment 

No Records Found 

IOC Detection 

Name Type Comment 

No Records Found 




Campaign Comment:


Costs 


Center (Hours):

NASA SOC (Hours):

NASA NOC (Hours):

Other Costs (Hours):

Center (Dollars):

NASA SOC (Dollars):

NASA NOC (Dollars):

Other Costs (Dollars):


Total Costs in Hours and Dollars are automatically calculated as the sum of the individual costs above. Center IR teams or managers should enter 
the Center costs, the NASA SOC Manager should enter the SOC Costs and the NOC Manager should enter the NOC costs, if any, in order to arrive 
at the Total Cost. 


Total Cost (Dollars):

Total Cost (Hours):

Description of

System Down Time (Days):

System Down Time (Hours):


Timeline 


Date Record Opened (UTC): 8/8/2011 2:54 PM

Date Record Confirmed (UTC): 8/11/2011 9:25 PM

Date Record Contained (UTC): 8/11/2011 9:25 PM

Date Record Resolved (UTC): 8/11/2011 9:25 PM

Date Record Closed (UTC): 7/21/2016 8:04 PM

Time in Open: 3.25

Time in Confirmed: 1805.94

Time to Confirm: 3.00

Time in Contained: 1805.94

Time to Contain: 3.27

Time in Resolved: 1805.94375

Time to Resolve: 3.27

Time in Closed: 858.46

Time to Close: 1809.22

Number of Days to Resolve: 3.272


Journal Entries 

IMS User

(b) (7)(C), (b) (6)
(b) (7)(C),

-Original Message-

Subject: SQLvulnerfornasa.gov
Date: Mon, 8 Aug 2011 15:44:28 -0400
From: (b) (7)(C),
To: soc@nasa.gov

Entry Date: 8/11/2011 9:24 PM
All tasks complete, closing out ticket.

Entry Date: 8/8/2011 8:14 PM
User emailing soc@nasa.gov to report possible incident. Looked up in IMS and found this work-item.


https://twitter.com/#!/TeaMpOisoN_ Posted this (b) (7)(E) As per his twitter. He is like Anonymous and hacks sites regularly. I try to warn people when I see they are targeted.

Hate these guys. I will be glad when FBI or whoever gets them all.
Entry Date: 8/8/2011 7:45 PM
Admin reported a compromise of (b) (7)(E) vbulletin server. Determined the hash was found from this compromise. Tracking via SOC-20110808-224190

Entry Date: 8/8/2011 6:50 PM
Attached a screenshot sent in from (b) (7)(C), . The screenshot doesn't show the server that they're saying is compromised, but it's likely that it's related to this specific incident. Contents of his email:

Also saw this one:

(b) (7)(E)

Perhaps the SOC can open a separate ticket to look into this one. I am not sure if the site is considered hostile or not. I've attached the image that shows the issue to this e-mail. Can't tell the site or users though.


(b) 

Entry Date: 8/8/2011 6:44 PM
Also on the one (b) (6), (b) were reporting (that NIH sent us earlier too):

The hash itself appears to have been reported/requested for cracking on July 22 by user "666":

(b) (7)(E)

666

Joined: 08 Feb 2011
Posts: 72

(b) (7)(E)
(b) (7)(E)

Posted: Fri Jul 22, 2011 11:17 am Post subject:

thnx Admin

(b) (7)(E)

(b) (7)

(b) (7)(C),

(b) (7)(C),
(b) (6), (b) IT Security Specialist, NASA Office of the CIO Cyber Threat Analysis Program (CTAP) (b) (6), (b) (7)(C)

On 8/8/11 1:18 PM, (b) (6), (b) wrote:

> > Also saw this one:
> > (b)(7)(E)
> >
> > Perhaps the SOC can open a separate ticket to look into this one. I am not sure if the site is considered hostile or not. I've attached the image that shows the issue to this e-mail. Can't tell the site or users though.
> >
> > (b)
> >
> > On 8/8/11 1:11 PM, (b)(6), (b) (HQ-WIM51) wrote:
> > > FYI, (b)(7)(E)
> > >
> > > ================
> > >
> > > Nasa Vulnerable to a public SQLi Exploit - Embarrassing much?
> > >
> > > Admin Username: (b)
> > > Email: (b) (6),
> > > Hashed Password:
> > >
> > > Admin Username: (b)(6),
> > > Email: (b)(6), (b) (7)(C)
> > > Hashed Password: (b) (7)(E)


> > > - If shit like this is vulnerable to public exploits, imagine what's vulnerable to private 0days :) -
> > >
> > > [+] Trick - TeaMpOisoN
> > > [+] Shoutouts: iN'^SaNe - HexOOOlO - MET
> > >
> > > Twitter: @TeaMpOisoN_
> > >
> > > **NOTE: A joint #TeaMpOisoN & #Anonymous Operation is about to hit the interwebs soon **
> > >
> > > =============
> > >
> > > SOC folks, can you check into this to try to determine what server might have
Entry Date: 8/8/2011 6:23 PM
Called (b) (6), office and cell numbers and left messages about the task for the ARC user.

Entry Date: 8/8/2011 5:46 PM
Copy/paste from (b) (7) ;

Nasa Vulnerable to a public SQLi Exploit - Embarrassing much?

Admin Username: (b)
Email: (b)(6), (b)(7)(C)
Hashed Password: (b)(7)(E)

Admin Username: (b)(6),
(b) (7)

- If shit like this is vulnerable to public exploits, imagine what's vulnerable to private 0days :) -

[+] Trick - TeaMpOisoN
[+] Shoutouts: iN'^SaNe - HexOOOlO - MET

Twitter: @TeaMpOisoN_

**NOTE: A joint #TeaMpOisoN & #Anonymous Operation is about to hit the interwebs soon **


Entry Date: 8/8/2011 2:54 PM

-Original Message-

Subject: NASA user password and more
Date: Mon, 8 Aug 2011 10:41:42 -0400
From: (b) (6), (b) (7)(C) [C]
To: 'soc@nasa.gov'

Looks like Teampoison and Anonymous are releasing something with regards to this. Their MO is usually SQLi, and dump any and everything they can. So can probably pivot around any publicly facing web systems that the user in this dump has access to and watch flow (historically.)

(b)(7)(E)

Also contains hashed pw which is likely crackable.

(b) (6), (b)(7)(C)
NIH Incident Response Team (IRT)
Office of the Chief Information Officer (OCIO)
(b) (6). (b)
National Institutes of Health, HHS
Phone: (b) (6), (b)
Fax: (301) 594-3061
E-mail: (b) (6), (b) (7)(C)

Protecting & Supporting NIH Research


Attachment(s) 


Name: nasa.png
Size: 85727
Type: .png
Upload Date: 8/8/2011 6:50 PM
Downloads: 0


History Log 
